Cryptography The language of cryptography Alice’s Bob’s K encryption A K decryption key B key plaintext encryption ciphertext decryption plaintext algorithm algorithm symmetric key crypto: sender, receiver keys identical public-key crypto: encryption key public, decryption key secret (private) 8: Network Security 8-2 Symmetric key cryptography substitution cipher: substituting one thing for another – monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq E.g.: Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc Q: How hard to break this simple cipher?: q brute force (how hard?) q other? 8: Network Security 8-3 Symmetric key cryptography K K A-B A-B plaintext encryption ciphertext decryption plaintext message, m algorithm algorithm K (m) m = K ( K (m)) A-B A-B A-B symmetric key crypto: Bob and Alice share know same (symmetric) key: K A-B • e.g., key is knowing substitution pattern in mono alphabetic substitution cipher • Q: how do Bob and Alice agree on key value? 8: Network Security 8-4 Symmetric key crypto: DES DES: Data Encryption Standard • US encryption standard [NIST 1993] • 56-bit symmetric key, 64-bit plaintext input • How secure is DES? – DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months – no known “backdoor” decryption approach • making DES more secure: – use three keys sequentially (3-DES) on each datum – use cipher-block chaining 8: Network Security 8-5 Symmetric key crypto: DES DES operation initial permutation 16 identical “rounds” of function application, each using different 48 bits of key final permutation 8: Network Security 8-6 AES: Advanced Encryption Standard • new (Nov. 2001) symmetric-key NIST standard, replacing DES • processes data in 128 bit blocks • 128, 192, or 256 bit keys • brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES 8: Network Security 8-7 Block Cipher 64-bit input 8bits 8bits 8bits 8bits 8bits 8bits 8bits 8bits loop for n rounds T T T T1 2 3 T4 T5 T6 T7 8 8 bits 8 bits 8 bits 8 bits 8 bits 8 bits 8 bits 8 bits • one pass 64-bit scrambler through: one input bit affects eight output bits 64-bit output r multiple passes: each input bit afects all output bits r block ciphers: DES, 3DES, AES 8: Network Security 8-8 Cipher Block Chaining • cipher block: if input m(1) = “HTTP/1.1” c(1) = “k329aM02” t=1 block block repeated, will cipher … produce same cipher m(17) = “HTTP/1.1” c(17) = “k329aM02” t=17 block text: cipher r cipher block chaining: XOR ith input block, m(i), with previous block of cipher m(i) text, c(i-1) m c(0) transmitted to c(i-1) + receiver in clear m what happens in block “HTTP/1.1” scenario cipher from above? c(i) 8: Network Security 8-9 Public key cryptography symmetric key crypto public key cryptography • requires sender, receiver r radically different approach [Diffie-Hellman76, RSA78] know shared secret key r sender, receiver do not • Q: how to agree on key in share secret key first place (particularly if r public encryption key known to all never “met”)? r private decryption key known only to receiver 8-10 8: Network Security Public key cryptography + K Bob’s public B key K - Bob’s private B key plaintext encryption ciphertext decryption plaintext algorithm + algorithm message, m K (m) message B m = K - (K + (m)) B B 8: Network Security 8-11 Public key encryption algorithms Requirements: + - 1 . need KB ( ) and K B ( .) such that - + K B (KB (m)) = m + 2 given public key KB , it should be impossible to- compute private key KB RSA: Rivest, Shamir, Adleman algorithm 8: Network Security 8-12 RSA: Choosing keys 1. Choose two large prime numbers p, q. (e.g., 1024 bits each) 2. Compute n = pq, z = phi(n)=(p-1)(q-1) 3. Choose e (with b<n) that has no common factors with z. (e, z are “relatively prime”). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). 5. Public key is (n,e). Private key is (n,d). - K + K B B 8-13 RSA: Encryption, decryption 0. Given (n,b) and (n,a) as computed above 1. To encrypt bit pattern, m, compute e e x = m mod n (i.e., remainder when m is divided by n) 2. To decrypt received bit pattern, c, compute d d m = x mod n (i.e., remainder when c is divided by n) Magic e d happens! m = (m mod n) mod n x 8: Network Security 8-14 RSA example: Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z. e e letter m m c = m mod n encrypt: l 12 1524832 17 d c c d letter decrypt: m = c mod n 17 481968572106750915091411825223071697 12 l 8: Network Security 8-15 e d RSA: Why is that m = (m mod n) mod n Useful number theory result: If p,q prime and n = pq, then: y y mod (p-1)(q-1) x mod n = x mod n e d ed (m mod n) mod n = m mod n ed mod (p-1)(q-1) = m mod n (using number theory result above) 1 = m mod n (since we chose ed to be divisible by (p-1)(q-1) with remainder 1 ) = m 8: Network Security 8-16 RSA: another important property The following property will be very useful later: - + + - K K (m) = m = B( B ) K B (K B (m)) use public key use private key first, followed first, followed by private key by public key Result is the same! 8: Network Security 8-17 Message Integrity Bob receives msg from Alice, wants to ensure: • message originally came from Alice • message not changed since sent by Alice Cryptographic Hash: • takes input m, produces fixed length value, H(m) – e.g., as in Internet checksum • computationally infeasible to find two different messages, x, y such that H(x) = H(y) – equivalently: given m = H(x), (x unknown), can not determine x. – note: Internet checksum fails this requirement! 8: Network Security 8-18 Internet checksum: poor crypto hash function Internet checksum has some properties of hash function: ü produces fixed length digest (16-bit sum) of message ü is many-to-one But given message with given hash value, it is easy to find another message with same hash value: message ASCII format message ASCII format I O U 1 49 4F 55 31 I O U 9 49 4F 55 39 0 0 . 9 30 30 2E 39 0 0 . 1 30 30 2E 31 9 B O B 39 42 4F 42 9 B O B 39 42 4F 42 B2 C1 D2 AC different messages B2 C1 D2 AC but identical checksums! 8: Network Security 8-19 Message Authentication Code (shared secret) s H(m+s) H(.) (message) m m H(m+s) public m append compare Internet H(m+s) H(.) H(m+s) s (shared secret) 8: Network Security 8-20 MACs in practice • MD5 hash function widely used (RFC 1321) – computes 128-bit MAC in 4-step process. – arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x • recent (2005) attacks on MD5 • SHA-1 is also used – US standard [NIST, FIPS PUB 180-1] – 160-bit MAC 8: Network Security 8-21 Digital Signatures cryptographic technique analogous to hand-written signatures. • sender (Bob) digitally signs document, establishing he is document owner/creator. • verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document 8: Network Security 8-22 Digital Signatures simple digital signature for message m: - • Bob “signs” m by encrypting with his private key KB, - creating “signed” message, KB(m) - Bob’s private - Bob’s message, m K K (m) B key B !"#$%&'()" *+,-.%/"..#0"1% !"#$"%&$'$"()*$+,--*.$ public key /%01$'$2",34$%5$/%0$(66$2"*$ /1%.(02"3% 2,+*7$89:6("$:6("$:6("; encryption 4"2)$567"38%9(7:% algorithm :(.%6$(;#7"%<"5 *+, 8: Network Security 8-23 Digital Signatures (more) > • suppose Alice receives msg m, digital signature KB(m) = • Alice verifies m signed by Bob by applying Bob’s public key KB > = > to KB(m) then checks KB(KB(m) ) = m. = > • if KB(KB(m) ) = m, whoever signed m must have used Bob’s private key. Alice thus verifies that: ü Bob signed m. ü No one else signed m. ü Bob signed m and not m’. non-repudiation: > ü Alice can take m, and signature KB(m) to court and prove that Bob signed m. 8: Network Security 8-24 Digital signature = signed MAC Alice verifies signature and integrity Bob sends digitally signed of digitally signed message: message: large message H: hash H(m) encrypted m function msg digest - KB(H(m)) Bob’s digital large private signature message Bob’s key - (encrypt) m digital K B public + signature key K encrypted H: hash B (decrypt) msg digest function - + KB(H(m)) H(m) H(m) equal ? 8-25 8: Network Security Public Key Certification public key problem: • When Alice obtains Bob’s public key (from web site, e-mail, diskette), how does she know it is Bob’s public key, not Trudy’s? solution: • trusted certification authority (CA) 8: Network Security 8-26 Certification Authorities • Certification Authority (CA): binds public key to particular entity, E.